From 3753908abbe3df99cf0eabbe052771f2b3c8f7bd Mon Sep 17 00:00:00 2001 
From: aldbr Date: Sat, 21 Oct 2023 07:40:14 +0900 Subject: [PATCH 1/4] feat: integrate indigo IAM and restructure the chart --- README.md | 7 +++ demo/demo_cluster_conf.tpl.yaml | 3 ++ demo/values.tpl.yaml | 7 ++- diracx/templates/_helpers.tpl | 11 ++++ .../deployment.yaml} | 0 .../service.yaml} | 0 .../{ => diracx}/cs-store-volume.yml | 0 diracx/templates/{ => diracx}/deployment.yaml | 6 +-- .../diracx-container-entrypoint.yaml | 0 .../diracx-mysql-init-dbs.yaml} | 0 .../{ => diracx}/init-cs/_init-cs.sh.tpl | 0 .../{ => diracx}/init-cs/configmap.yaml | 2 +- .../templates/{ => diracx}/init-cs/job.yaml | 0 .../init-secrets/_init-secrets.sh.tpl | 0 .../{ => diracx}/init-secrets/configmap.yaml | 2 +- .../{ => diracx}/init-secrets/job.yaml | 0 .../init-secrets/rbac-config.yaml | 0 .../{ => diracx}/init-sql/_init-sql.sh.tpl | 0 .../{ => diracx}/init-sql/configmap.yaml | 2 +- .../templates/{ => diracx}/init-sql/job.yaml | 0 diracx/templates/{ => diracx}/secrets.yaml | 0 diracx/templates/{ => diracx}/service.yaml | 0 .../{ => diracx}/serviceaccount.yaml | 0 .../{ => diracx}/tests/test-connection.yaml | 0 .../tests/indigo-iam/deployment.yaml | 51 +++++++++++++++++++ .../indigo-iam/init-iam/_init-iam.sh.tpl | 4 ++ .../tests/indigo-iam/init-iam/configmap.yaml | 10 ++++ .../tests/indigo-iam/init-iam/job.yaml | 27 ++++++++++ .../templates/tests/indigo-iam/secrets.yaml | 24 +++++++++ .../templates/tests/indigo-iam/service.yaml | 16 ++++++ diracx/values.yaml | 14 +++++ 31 files changed, 179 insertions(+), 7 deletions(-) rename diracx/templates/{web-deployment.yaml => diracx-web/deployment.yaml} (100%) rename diracx/templates/{web-service.yaml => diracx-web/service.yaml} (100%) rename diracx/templates/{ => diracx}/cs-store-volume.yml (100%) rename diracx/templates/{ => diracx}/deployment.yaml (97%) rename diracx/templates/{ => diracx}/diracx-container-entrypoint.yaml (100%) rename diracx/templates/{mysql-init-dbs.yaml => diracx/diracx-mysql-init-dbs.yaml} (100%) rename 
diracx/templates/{ => diracx}/init-cs/_init-cs.sh.tpl (100%) rename diracx/templates/{ => diracx}/init-cs/configmap.yaml (80%) rename diracx/templates/{ => diracx}/init-cs/job.yaml (100%) rename diracx/templates/{ => diracx}/init-secrets/_init-secrets.sh.tpl (100%) rename diracx/templates/{ => diracx}/init-secrets/configmap.yaml (80%) rename diracx/templates/{ => diracx}/init-secrets/job.yaml (100%) rename diracx/templates/{ => diracx}/init-secrets/rbac-config.yaml (100%) rename diracx/templates/{ => diracx}/init-sql/_init-sql.sh.tpl (100%) rename diracx/templates/{ => diracx}/init-sql/configmap.yaml (80%) rename diracx/templates/{ => diracx}/init-sql/job.yaml (100%) rename diracx/templates/{ => diracx}/secrets.yaml (100%) rename diracx/templates/{ => diracx}/service.yaml (100%) rename diracx/templates/{ => diracx}/serviceaccount.yaml (100%) rename diracx/templates/{ => diracx}/tests/test-connection.yaml (100%) create mode 100644 diracx/templates/tests/indigo-iam/deployment.yaml create mode 100644 diracx/templates/tests/indigo-iam/init-iam/_init-iam.sh.tpl create mode 100644 diracx/templates/tests/indigo-iam/init-iam/configmap.yaml create mode 100644 diracx/templates/tests/indigo-iam/init-iam/job.yaml create mode 100644 diracx/templates/tests/indigo-iam/secrets.yaml create mode 100644 diracx/templates/tests/indigo-iam/service.yaml diff --git a/README.md b/README.md index 0caf6bb..cff7e67 100644 --- a/README.md +++ b/README.md 
@@ -163,6 +163,13 @@ Depending on the installation you perform, some tasks may be necessary or not. T | global.images.web.repository | string | `"ghcr.io/diracgrid/diracx-web/static"` | | | global.images.web.tag | string | `"latest"` | | | global.storageClassName | string | `"standard"` | | +| indigoiam.config.issuer | string | `"http://anything:32003"` | | +| indigoiam.enabled | bool | `true` | | +| indigoiam.image.repository | string | `"indigoiam/iam-login-service"` | | +| indigoiam.image.tag | string | `"v1.8.2"` | | +| indigoiam.service.nodePort | int | `32003` | | +| indigoiam.service.port | int | `8080` | | +| indigoiam.service.type | string | `"NodePort"` | | | ingress.annotations | object | `{}` | | | ingress.className | string | `"nginx"` | | | ingress.enabled | bool | `true` | | diff --git a/demo/demo_cluster_conf.tpl.yaml b/demo/demo_cluster_conf.tpl.yaml index 9b8982d..ec6fc12 100644 --- a/demo/demo_cluster_conf.tpl.yaml +++ b/demo/demo_cluster_conf.tpl.yaml @@ -32,3 +32,6 @@ nodes: - containerPort: 32002 hostPort: 32002 protocol: TCP + - containerPort: 32003 + hostPort: 32003 + protocol: TCP diff --git a/demo/values.tpl.yaml b/demo/values.tpl.yaml index ff52f1a..1b074c7 100644 --- a/demo/values.tpl.yaml +++ b/demo/values.tpl.yaml @@ -8,6 +8,7 @@ developer: diracx: https://{{ hostname }}:8000 minio: http://{{ hostname }}:32000 dex: http://{{ hostname }}:32002 + iam: http://{{ hostname }}:32003 demoDir: {{ demo_dir }} mountedPythonModulesToInstall: {{ mounted_python_modules }} editableMountedPythonModules: {{ editable_mounted_modules }} @@ -17,7 +18,7 @@ init-cs: VOs: - name: diracAdmin IdP: - idp_url: http://{{ hostname }}:32002 + idp_url: http://{{ hostname }}:32003 idp_client_id: d396912e-2f04-439b-8ae7-d8c585a34790 defaultGroup: admin Users: @@ -65,3 +66,7 @@ dex: - email: "admin@example.com" hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W" username: "admin" + +indigoiam: + config: + issuer: http://{{ hostname }}:32003 
diff --git a/diracx/templates/_helpers.tpl b/diracx/templates/_helpers.tpl index 7d2bd18..003dc04 100644 --- a/diracx/templates/_helpers.tpl +++ b/diracx/templates/_helpers.tpl @@ -104,6 +104,17 @@ Return the name template for shared-secrets job. {{- default "init-secrets" $sharedSecretValues.nameOverride | trunc 63 | trimSuffix "-" -}} {{- end -}} +{{- define "init-iam.fullname" -}} +{{- printf "%s-init-iam" .Release.Name -}} +{{- end -}} + +{{- define "init-iam.jobname" -}} +{{- $name := include "init-iam.fullname" . | trunc 55 | trimSuffix "-" -}} +{{- $rand := randAlphaNum 3 | lower }} +{{- printf "%s-%d-%s" $name .Release.Revision $rand | trunc 63 | trimSuffix "-" -}} +{{- end -}} + + {{/* Create a default fully qualified job name for init-secrets. Due to the job only being allowed to run once, we add the chart revision so helm diff --git a/diracx/templates/web-deployment.yaml b/diracx/templates/diracx-web/deployment.yaml similarity index 100% rename from diracx/templates/web-deployment.yaml rename to diracx/templates/diracx-web/deployment.yaml diff --git a/diracx/templates/web-service.yaml b/diracx/templates/diracx-web/service.yaml similarity index 100% rename from diracx/templates/web-service.yaml rename to diracx/templates/diracx-web/service.yaml diff --git a/diracx/templates/cs-store-volume.yml b/diracx/templates/diracx/cs-store-volume.yml similarity index 100% rename from diracx/templates/cs-store-volume.yml rename to diracx/templates/diracx/cs-store-volume.yml diff --git a/diracx/templates/deployment.yaml b/diracx/templates/diracx/deployment.yaml similarity index 97% rename from diracx/templates/deployment.yaml rename to diracx/templates/diracx/deployment.yaml index fa0a5bb..e073391 100644 --- a/diracx/templates/deployment.yaml +++ b/diracx/templates/diracx/deployment.yaml 
@@ -15,9 +15,9 @@ spec: {{- with .Values.podAnnotations }} {{- toYaml . | nindent 8 }} {{- end }} - checksum/settings: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }} - checksum/init-settings: {{ include (print $.Template.BasePath "/init-secrets/configmap.yaml") . | sha256sum }} - checksum/entrypoint: {{ include (print $.Template.BasePath "/diracx-container-entrypoint.yaml") . | sha256sum }} + checksum/settings: {{ include (print $.Template.BasePath "/diracx/secrets.yaml") . | sha256sum }} + checksum/init-settings: {{ include (print $.Template.BasePath "/diracx/init-secrets/configmap.yaml") . | sha256sum }} + checksum/entrypoint: {{ include (print $.Template.BasePath "/diracx/diracx-container-entrypoint.yaml") . | sha256sum }} labels: {{- include "diracx.selectorLabels" . | nindent 8 }} spec: diff --git a/diracx/templates/diracx-container-entrypoint.yaml b/diracx/templates/diracx/diracx-container-entrypoint.yaml similarity index 100% rename from diracx/templates/diracx-container-entrypoint.yaml rename to diracx/templates/diracx/diracx-container-entrypoint.yaml diff --git a/diracx/templates/mysql-init-dbs.yaml b/diracx/templates/diracx/diracx-mysql-init-dbs.yaml similarity index 100% rename from diracx/templates/mysql-init-dbs.yaml rename to diracx/templates/diracx/diracx-mysql-init-dbs.yaml diff --git a/diracx/templates/init-cs/_init-cs.sh.tpl b/diracx/templates/diracx/init-cs/_init-cs.sh.tpl similarity index 100% rename from diracx/templates/init-cs/_init-cs.sh.tpl rename to diracx/templates/diracx/init-cs/_init-cs.sh.tpl diff --git a/diracx/templates/init-cs/configmap.yaml b/diracx/templates/diracx/init-cs/configmap.yaml similarity index 80% rename from diracx/templates/init-cs/configmap.yaml rename to diracx/templates/diracx/init-cs/configmap.yaml index 57077a8..263f091 100644 --- a/diracx/templates/init-cs/configmap.yaml +++ b/diracx/templates/diracx/init-cs/configmap.yaml 
@@ -11,5 +11,5 @@ metadata: "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation data: init-cs: | - {{- include (print $.Template.BasePath "/init-cs/_init-cs.sh.tpl") . | nindent 4 }} + {{- include (print $.Template.BasePath "/diracx/init-cs/_init-cs.sh.tpl") . | nindent 4 }} {{- end -}} diff --git a/diracx/templates/init-cs/job.yaml b/diracx/templates/diracx/init-cs/job.yaml similarity index 100% rename from diracx/templates/init-cs/job.yaml rename to diracx/templates/diracx/init-cs/job.yaml diff --git a/diracx/templates/init-secrets/_init-secrets.sh.tpl b/diracx/templates/diracx/init-secrets/_init-secrets.sh.tpl similarity index 100% rename from diracx/templates/init-secrets/_init-secrets.sh.tpl rename to diracx/templates/diracx/init-secrets/_init-secrets.sh.tpl diff --git a/diracx/templates/init-secrets/configmap.yaml b/diracx/templates/diracx/init-secrets/configmap.yaml similarity index 80% rename from diracx/templates/init-secrets/configmap.yaml rename to diracx/templates/diracx/init-secrets/configmap.yaml index 83eb274..d333791 100644 --- a/diracx/templates/init-secrets/configmap.yaml +++ b/diracx/templates/diracx/init-secrets/configmap.yaml @@ -11,5 +11,5 @@ metadata: "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation data: init-secrets: | - {{- include (print $.Template.BasePath "/init-secrets/_init-secrets.sh.tpl") . | nindent 4 }} + {{- include (print $.Template.BasePath "/diracx/init-secrets/_init-secrets.sh.tpl") . | nindent 4 }} {{- end -}} diff --git a/diracx/templates/init-secrets/job.yaml b/diracx/templates/diracx/init-secrets/job.yaml similarity index 100% rename from diracx/templates/init-secrets/job.yaml rename to diracx/templates/diracx/init-secrets/job.yaml diff --git a/diracx/templates/init-secrets/rbac-config.yaml b/diracx/templates/diracx/init-secrets/rbac-config.yaml similarity index 100% rename from diracx/templates/init-secrets/rbac-config.yaml rename to diracx/templates/diracx/init-secrets/rbac-config.yaml 
diff --git a/diracx/templates/init-sql/_init-sql.sh.tpl b/diracx/templates/diracx/init-sql/_init-sql.sh.tpl similarity index 100% rename from diracx/templates/init-sql/_init-sql.sh.tpl rename to diracx/templates/diracx/init-sql/_init-sql.sh.tpl diff --git a/diracx/templates/init-sql/configmap.yaml b/diracx/templates/diracx/init-sql/configmap.yaml similarity index 80% rename from diracx/templates/init-sql/configmap.yaml rename to diracx/templates/diracx/init-sql/configmap.yaml index adef34e..99ad57e 100644 --- a/diracx/templates/init-sql/configmap.yaml +++ b/diracx/templates/diracx/init-sql/configmap.yaml @@ -11,5 +11,5 @@ metadata: "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation data: init-sql: | - {{- include (print $.Template.BasePath "/init-sql/_init-sql.sh.tpl") . | nindent 4 }} + {{- include (print $.Template.BasePath "/diracx/init-sql/_init-sql.sh.tpl") . | nindent 4 }} {{- end -}} diff --git a/diracx/templates/init-sql/job.yaml b/diracx/templates/diracx/init-sql/job.yaml similarity index 100% rename from diracx/templates/init-sql/job.yaml rename to diracx/templates/diracx/init-sql/job.yaml diff --git a/diracx/templates/secrets.yaml b/diracx/templates/diracx/secrets.yaml similarity index 100% rename from diracx/templates/secrets.yaml rename to diracx/templates/diracx/secrets.yaml diff --git a/diracx/templates/service.yaml b/diracx/templates/diracx/service.yaml similarity index 100% rename from diracx/templates/service.yaml rename to diracx/templates/diracx/service.yaml diff --git a/diracx/templates/serviceaccount.yaml b/diracx/templates/diracx/serviceaccount.yaml similarity index 100% rename from diracx/templates/serviceaccount.yaml rename to diracx/templates/diracx/serviceaccount.yaml diff --git a/diracx/templates/tests/test-connection.yaml b/diracx/templates/diracx/tests/test-connection.yaml similarity index 100% rename from diracx/templates/tests/test-connection.yaml rename to diracx/templates/diracx/tests/test-connection.yaml 
diff --git a/diracx/templates/tests/indigo-iam/deployment.yaml b/diracx/templates/tests/indigo-iam/deployment.yaml new file mode 100644 index 0000000..1a6649b --- /dev/null +++ b/diracx/templates/tests/indigo-iam/deployment.yaml @@ -0,0 +1,51 @@ +{{- if .Values.indigoiam.enabled }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: indigo-iam +spec: + replicas: 1 + selector: + matchLabels: + app: iam + template: + metadata: + labels: + app: iam + annotations: + checksum/init-iam: {{ include (print $.Template.BasePath "/tests/indigo-iam/init-iam/_init-iam.sh.tpl") . | sha256sum }} + spec: + volumes: + - name: iam-secret + secret: + secretName: indigo-iam-init-secrets + containers: + - name: indigo-iam + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + image: "{{ .Values.indigoiam.image.repository }}:{{ .Values.indigoiam.image.tag }}" + imagePullPolicy: {{ .Values.global.imagePullPolicy }} + ports: + - name: http + containerPort: {{ .Values.indigoiam.service.port }} + protocol: TCP + livenessProbe: + httpGet: + path: /.well-known/openid-configuration + port: http + readinessProbe: + httpGet: + path: /.well-known/openid-configuration + port: http + env: + - name: IAM_KEY_STORE_LOCATION + value: "file:///etc/indigo-iam/keystore/iam-keystore.jwks" + - name: IAM_BASE_URL + value: "{{ .Values.indigoiam.config.issuer }}" + - name: IAM_ISSUER + value: "{{ .Values.indigoiam.config.issuer }}" + volumeMounts: + - name: iam-secret + mountPath: "/etc/indigo-iam/keystore" + readOnly: true +{{- end}} diff --git a/diracx/templates/tests/indigo-iam/init-iam/_init-iam.sh.tpl b/diracx/templates/tests/indigo-iam/init-iam/_init-iam.sh.tpl new file mode 100644 index 0000000..47df6f7 --- /dev/null +++ b/diracx/templates/tests/indigo-iam/init-iam/_init-iam.sh.tpl @@ -0,0 +1,4 @@ +#!/usr/bin/env bash +set -x + +curl {{ .Values.indigoiam.config.issuer }}/.well-known/openid-configuration 
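Review bot: The `checksum/init-iam` pod annotation in deployment.yaml hashes `_init-iam.sh.tpl`, a script that only the init Job executes, while the input this Deployment actually consumes — the `indigo-iam-init-secrets` Secret mounted at `/etc/indigo-iam/keystore` and referenced by `IAM_KEY_STORE_LOCATION` — is not part of any checksum, so rotating the signing key does not roll the IAM pod. Hash the secret template instead, mirroring `checksum/settings` in diracx/deployment.yaml: `checksum/keystore: {{ include (print $.Template.BasePath "/tests/indigo-iam/secrets.yaml") . | sha256sum }}`. Separately, `metadata.name: indigo-iam` and the `app: iam` selector are fixed strings rather than release-derived (diracx/deployment.yaml goes through `include "diracx.selectorLabels"`), so two releases in one namespace would collide on this Deployment.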
diff --git a/diracx/templates/tests/indigo-iam/init-iam/configmap.yaml b/diracx/templates/tests/indigo-iam/init-iam/configmap.yaml new file mode 100644 index 0000000..a81bb54 --- /dev/null +++ b/diracx/templates/tests/indigo-iam/init-iam/configmap.yaml @@ -0,0 +1,10 @@ +{{- if .Values.indigoiam.enabled -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "init-iam.fullname" . }} + namespace: {{ .Release.Namespace }} +data: + init-iam: | + {{- include (print $.Template.BasePath "/tests/indigo-iam/init-iam/_init-iam.sh.tpl") . | nindent 4 }} +{{- end -}} diff --git a/diracx/templates/tests/indigo-iam/init-iam/job.yaml b/diracx/templates/tests/indigo-iam/init-iam/job.yaml new file mode 100644 index 0000000..3b638ae --- /dev/null +++ b/diracx/templates/tests/indigo-iam/init-iam/job.yaml @@ -0,0 +1,27 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: init-indigo-iam + namespace: {{ .Release.Namespace }} + annotations: + "helm.sh/hook": post-install,post-upgrade + "helm.sh/hook-weight": "1" +spec: + ttlSecondsAfterFinished: {{ .Values.global.batchJobTTL }} + activeDeadlineSeconds: {{ .Values.global.activeDeadlineSeconds }} + template: + spec: + restartPolicy: Never + containers: + - name: indigo-iam + image: "{{ .Values.indigoiam.image.repository }}:{{ .Values.indigoiam.image.tag }}" + imagePullPolicy: {{ .Values.global.imagePullPolicy }} + command: ["/bin/sh", "/scripts/init-iam"] + volumeMounts: + - name: scripts + mountPath: /scripts + volumes: + - name: scripts + configMap: + name: {{ template "init-iam.fullname" . }} + restartPolicy: Never diff --git a/diracx/templates/tests/indigo-iam/secrets.yaml b/diracx/templates/tests/indigo-iam/secrets.yaml new file mode 100644 index 0000000..51c9798 --- /dev/null +++ b/diracx/templates/tests/indigo-iam/secrets.yaml 
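Review bot: job.yaml is rendered unconditionally, whereas the ConfigMap it mounts as the `scripts` volume (`name: {{ template "init-iam.fullname" . }}`) is wrapped in `{{- if .Values.indigoiam.enabled -}}`, so with `indigoiam.enabled: false` the post-install hook is still created and its pod cannot start because the volume source is missing, which stalls the release until `activeDeadlineSeconds` expires. The Job should carry the same guard: `{{- if .Values.indigoiam.enabled }}` before `apiVersion: batch/v1` and `{{- end }}` after the final `restartPolicy: Never`. The diffstat of a later patch in this series shows job.yaml gaining two lines, which may be exactly this; if so, disregard.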
@@ -0,0 +1,24 @@ +{{- if .Values.indigoiam.enabled }} +apiVersion: v1 +kind: Secret +metadata: + name: indigo-iam-init-secrets +stringData: + iam-keystore.jwks: | + { + "keys": [ + { + "p": "1vffpIvQ67Bp1XmnxuuNhgHGoS4iCEbEJN9kV2oh39xRMw2L1Fx6RrgHb0t04KAE4IT_48Y9grta7OHUty4dMQ", + "kty": "RSA", + "q": "v673PmzSoiClcZ6U8Rcb4GyB1H76jfY3dTdZNBT5cSVEPhPCnGNWXFKPUj5qeT4CGneR9tdGU7U-_vRNPJg9yw", + "d": "XC1QH6W--Hh9fIsswXB2H0S44GvbrVD75XiJwrOgmrOhBK8MFR0X_eQ-9nBNPmZbAu9NKK5ixwIcE8J-OhQaOcDkepAf1DUo6iIlXgtbHvOtT3GHNgPHJ4C7XbnO9ieNDMrMr2tpmGnH2sebvXwLrzjKJCB09bS6yj71XGkyVKE", + "e": "AQAB", + "kid": "rsa1", + "qi": "P8KH-16jsDjJygzggeLxlJwHYFYPoie3hgB__aajO03GiRzYJojD5dBKEiQuo9SxJ43U5csHWYQeukz9X01-zw", + "dp": "VYF6_6RtkZI2RqeBSOpg_LCwJWSIPOqJEnGZI_wfRUAJPFljCTFPodmJe4d0EfUUe4nrjtpHlTyYyih5x_MbwQ", + "dq": "sxzUTZG0dOjaj8PmWy4Dz361BpIsoDC9e5tfkGo0-AQhs3wVcrrkPNqsr-ZA6dAGeSLX0vcv8RJArk4sSf3cZw", + "n": "oPXb81pZRmxmRJVHva49e5-NOToDdZ6XITpqt3RF-Ovehkd52Fm-t0FfKjJZxP7Q4d-nw1gk-r894uRJPAU9mx3yya9p7L5Xnr6rs8jmf_KF2buaYMUQ001wpsjJwznyGHWNqrBNB4_2-3U_uMGWyJB-C8Gy2-3aXjHRSQ-d0ts" + } + ] + } +{{- end }} diff --git a/diracx/templates/tests/indigo-iam/service.yaml b/diracx/templates/tests/indigo-iam/service.yaml new file mode 100644 index 0000000..edd0120 --- /dev/null +++ b/diracx/templates/tests/indigo-iam/service.yaml @@ -0,0 +1,16 @@ +{{- if .Values.indigoiam.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: iam-login-service +spec: + type: {{ .Values.indigoiam.service.type }} + ports: + - port: {{ .Values.indigoiam.service.port }} + nodePort: {{ .Values.indigoiam.service.nodePort }} + targetPort: http + protocol: TCP + name: http + selector: + app: iam +{{- end }} diff --git a/diracx/values.yaml b/diracx/values.yaml index f78ba45..859e865 100644 --- a/diracx/values.yaml +++ b/diracx/values.yaml 
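Review bot: The JWK under `iam-keystore.jwks` in secrets.yaml carries the full RSA private components (`d`, `p`, `q`, `dp`, `dq`, `qi`), so every installation with `indigoiam.enabled` signs its tokens with a key whose private half is published in the chart repository, and tokens for this issuer can be forged by anyone who has read the chart. Nothing in the template marks this as a demo fixture, and values.yaml in this same patch defaults `indigoiam.enabled` to `true`. Generate the keystore at install time the way the existing init-secrets job populates diracx/secrets.yaml, or at minimum add above `stringData:` a comment such as `# Demo-only signing key: the private material is public in this repository; do not enable indigoiam with this key outside a throwaway cluster.`.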
@@ -326,6 +326,20 @@ dex: ########################## +indigoiam: + enabled: true + config: + issuer: http://anything:32003 + image: + repository: indigoiam/iam-login-service + tag: v1.8.2 + service: + type: NodePort + port: 8080 + nodePort: 32003 + +########################## + mysql: enabled: true auth: From c7f77f14783758ed1a27e9af9d04df4fd6166ad0 Mon Sep 17 00:00:00 2001 From: aldbr Date: Thu, 14 Dec 2023 16:16:36 +0100 Subject: [PATCH 2/4] feat: add init IAM script --- README.md | 4 +- demo/values.tpl.yaml | 37 +- diracx/templates/_helpers.tpl | 11 - .../tests/indigo-iam/deployment.yaml | 2 +- .../indigo-iam/init-iam/_init-iam.py.tpl | 387 ++++++++++++++++++ .../indigo-iam/init-iam/_init-iam.sh.tpl | 4 - .../tests/indigo-iam/init-iam/configmap.yaml | 16 +- .../tests/indigo-iam/init-iam/job.yaml | 20 +- diracx/values.yaml | 5 +- 9 files changed, 457 insertions(+), 29 deletions(-) create mode 100644 diracx/templates/tests/indigo-iam/init-iam/_init-iam.py.tpl delete mode 100644 diracx/templates/tests/indigo-iam/init-iam/_init-iam.sh.tpl diff --git a/README.md b/README.md index cff7e67..27b8189 100644 --- a/README.md +++ b/README.md 
@@ -163,10 +163,12 @@ Depending on the installation you perform, some tasks may be necessary or not. T | global.images.web.repository | string | `"ghcr.io/diracgrid/diracx-web/static"` | | | global.images.web.tag | string | `"latest"` | | | global.storageClassName | string | `"standard"` | | +| indigoiam.config.initial_client.id | string | `nil` | | +| indigoiam.config.initial_client.secret | string | `nil` | | | indigoiam.config.issuer | string | `"http://anything:32003"` | | | indigoiam.enabled | bool | `true` | | | indigoiam.image.repository | string | `"indigoiam/iam-login-service"` | | -| indigoiam.image.tag | string | `"v1.8.2"` | | +| indigoiam.image.tag | string | `"v1.8.3.rc.20231211"` | | | indigoiam.service.nodePort | int | `32003` | | | indigoiam.service.port | int | `8080` | | | indigoiam.service.type | string | `"NodePort"` | | diff --git a/demo/values.tpl.yaml b/demo/values.tpl.yaml index 1b074c7..4c79775 100644 --- a/demo/values.tpl.yaml +++ b/demo/values.tpl.yaml @@ -19,10 +19,10 @@ init-cs: - name: diracAdmin IdP: idp_url: http://{{ hostname }}:32003 - idp_client_id: d396912e-2f04-439b-8ae7-d8c585a34790 + idp_client_id: client defaultGroup: admin Users: - - sub: EgVsb2NhbA + - sub: 73f16d93-2441-4a50-88ff-85360d78c6b5 preferredUsername: admin groups: - admin @@ -70,3 +70,36 @@ dex: indigoiam: config: issuer: http://{{ hostname }}:32003 + + admin_user: + username: admin + password: password + initial_client: + name: "Admin client (read-write)" + id: admin-client-rw + secret: secret + + users: + - username: jane_doe + given_name: Jane + family_name: Doe + password: password + + clients: + - name: "Test client" + id: client + grant_types: + - refresh_token + - authorization_code + - urn:ietf:params:oauth:grant-type:device_code + scope: + - offline + - openid + - profile + redirect_uris: + - https://{{ hostname }}:8000/api/auth/device/complete + - https://{{ hostname }}:8000/api/auth/authorize/complete + + groups: + dirac: + user: [jane_doe] 
diff --git a/diracx/templates/_helpers.tpl b/diracx/templates/_helpers.tpl index 003dc04..7d2bd18 100644 --- a/diracx/templates/_helpers.tpl +++ b/diracx/templates/_helpers.tpl @@ -104,17 +104,6 @@ Return the name template for shared-secrets job. {{- default "init-secrets" $sharedSecretValues.nameOverride | trunc 63 | trimSuffix "-" -}} {{- end -}} -{{- define "init-iam.fullname" -}} -{{- printf "%s-init-iam" .Release.Name -}} -{{- end -}} - -{{- define "init-iam.jobname" -}} -{{- $name := include "init-iam.fullname" . | trunc 55 | trimSuffix "-" -}} -{{- $rand := randAlphaNum 3 | lower }} -{{- printf "%s-%d-%s" $name .Release.Revision $rand | trunc 63 | trimSuffix "-" -}} -{{- end -}} - - {{/* Create a default fully qualified job name for init-secrets. Due to the job only being allowed to run once, we add the chart revision so helm diff --git a/diracx/templates/tests/indigo-iam/deployment.yaml b/diracx/templates/tests/indigo-iam/deployment.yaml index 1a6649b..c27acd0 100644 --- a/diracx/templates/tests/indigo-iam/deployment.yaml +++ b/diracx/templates/tests/indigo-iam/deployment.yaml @@ -13,7 +13,7 @@ spec: labels: app: iam annotations: - checksum/init-iam: {{ include (print $.Template.BasePath "/tests/indigo-iam/init-iam/_init-iam.sh.tpl") . | sha256sum }} + checksum/init-iam: {{ include (print $.Template.BasePath "/tests/indigo-iam/init-iam/_init-iam.py.tpl") . | sha256sum }} spec: volumes: - name: iam-secret diff --git a/diracx/templates/tests/indigo-iam/init-iam/_init-iam.py.tpl b/diracx/templates/tests/indigo-iam/init-iam/_init-iam.py.tpl new file mode 100644 index 0000000..0518a96 --- /dev/null +++ b/diracx/templates/tests/indigo-iam/init-iam/_init-iam.py.tpl 
@@ -0,0 +1,387 @@ +import requests +import json +import os +import time +import logging +import yaml + +from typing import List, Dict, Optional +from pydantic import BaseModel, parse_obj_as, validator + + +class User(BaseModel): + """User to create.""" + username: str + password: str + given_name: Optional[str] = None + family_name: Optional[str] = None + + @validator('given_name', pre=True, always=True) + def set_given_name(cls, v, values): + # Use the username to set the given_name if it's not provided + if v is None and 'username' in values: + return values['username'].capitalize() + return v + + @validator('family_name', pre=True, always=True) + def set_family_name(cls, v, values): + # Set the family_name to an empty string if it's not provided + return v or "" + + +class Client(BaseModel): + """Client to create/update.""" + id: Optional[str] = None + secret: Optional[str] = None + name: str + grant_types: Optional[List[str]] = [] + scope: Optional[List[str]] = [] + redirect_uris: Optional[List[str]] = [] + + @validator('redirect_uris', pre=True, always=True) + def set_redirect_uris(cls, v, values): + # redirect_uris is required if grant_types contains "authorization_code" or "device_code" + grant_types = values.get('grant_types', []) + if not v and ('authorization_code' in grant_types or \ + 'urn:ietf:params:oauth:grant-type:device_code' in grant_types): + raise ValueError("redirect_uris is required") + return v + + +class InitialClient(Client): + """Initial client used to get an admin token and modify the IAM instance.""" + id: str + grant_types: Optional[List[str]] = ["client_credentials"] + scope: Optional[List[str]] = ["scim:read", "scim:write", "iam:admin.read", "iam:admin.write"] + + +class Group(BaseModel): + """Group to create.""" + __root__: Dict[str, List[str]] + + +class Config(BaseModel): + issuer: str + admin_user: User + initial_client: InitialClient + users: Optional[List[User]] = [] + clients: Optional[List[Client]] = [] + groups: 
Optional[Dict[str, Group]] = {} + + +def prepare_iam_instance(config_path): + """Prepare the IAM instance + """ + try: + # Load and parse the configuration using Pydantic + with open(config_path, 'r') as file: + config_data = yaml.safe_load(file) + config = parse_obj_as(Config, config_data) + except FileNotFoundError: + logging.error("Config file not found") + raise RuntimeError("Config file not found") + except ValueError as e: + logging.error(f"Error parsing config file: {e}") + raise RuntimeError(f"Error parsing config file: {e}") + except Exception as e: + logging.error(f"Error parsing config file: {e}") + raise RuntimeError(f"Error parsing config file: {e}") + + issuer = config.issuer + + logging.info("Getting an IAM admin token") + # It sometimes takes a while for IAM to be ready so wait for a while if needed + for _ in range(5): + try: + tokens = _get_iam_token(issuer, config.initial_client) + break + except requests.ConnectionError: + logging.exception("Failed to connect to IAM, will retry in 10 seconds") + time.sleep(5) + else: + raise RuntimeError("All attempts to _get_iam_token failed") + initial_admin_access_token = tokens.get("access_token") + + logging.info("Updating IAM initial client") + _create_or_update_iam_client(issuer, initial_admin_access_token, config.initial_client) + # We need to fetch a new token as the scope has probably changed + tokens = _get_iam_token(issuer, config.initial_client) + admin_access_token = tokens.get("access_token") + + logging.info("Creating IAM clients") + for client in config.clients: + _create_or_update_iam_client(issuer, admin_access_token, client) + + logging.info("Creating IAM users") + user_ids = {} + for user in config.users: + logging.info("Adding user %s" % user.username) + user_config = _create_iam_user(issuer, admin_access_token, user) + user_ids[user.username] = user_config["id"] + + logging.info("Creating IAM groups") + # Groups + for group_name, group_details in config.groups.items(): + group_config = 
_create_iam_group(issuer, admin_access_token, group_name) + group_id = group_config["id"] + + # Subgroups + for subgroup_name, users in group_details.__root__.items(): + subgroup_config = _create_iam_subgroup(issuer, admin_access_token, group_name, group_id, subgroup_name) + subgroup_id = subgroup_config["id"] + + # Subgroups membership + for username in users: + _create_iam_group_membership( + issuer, + admin_access_token, + username, + user_ids[username], + group_id, + ) + _create_iam_group_membership( + issuer, + admin_access_token, + username, + user_ids[username], + subgroup_id, + ) + + +def _get_iam_token(issuer: str, client: Client) -> dict: + """Get a token using the client credentials flow""" + query = os.path.join(issuer, "token") + params = {"grant_type": "client_credentials"} + response = requests.post( + query, + auth=(client.id, client.secret), + params=params, + timeout=5, + ) + if not response.ok: + logging.error(f"Failed to get an admin token: {response.status_code} {response.reason}") + raise RuntimeError("Failed to get an admin token") + return response.json() + + +def _create_or_update_iam_client( + issuer: str, + admin_access_token: str, + client: Client, +) -> dict: + """Generate an IAM client""" + headers = { + "Authorization": f"Bearer {admin_access_token}", + "Content-Type": "application/json", + } + if client.id: + logging.info(f"Client {client.name} seems to exist, let's try to update it") + + # Get the configuration of the client + query = os.path.join(issuer, "iam/api/clients", client.id) + response = requests.get( + query, + headers=headers, + timeout=5, + ) + if not response.ok: + logging.error( + f"Failed to get config for client {client.name}: {response.status_code} {response.reason}" + ) + raise RuntimeError(f"Failed to get config for client {client.name}") + + # Update the configuration with the provided values + client_config = response.json() + client_config["client_name"] = client.name + client_config["scope"] = ' 
'.join(client.scope) + client_config["grant_types"] = client.grant_types + client_config["redirect_uris"] = client.redirect_uris + client_config["code_challenge_method"] = "S256" + if not client.secret: + client_config["token_endpoint_auth_method"] = "none" + + # Update the client + response = requests.put( + query, + headers=headers, + data=json.dumps(client_config), + timeout=5, + ) + if not response.ok: + logging.error( + f"Failed to update config for client {client.name}: {response.status_code} {response.reason}" + ) + raise RuntimeError(f"Failed to update config for client {client.name}") + return response.json() + + # Create the client + logging.info(f"Creating client {client.name}") + + query = os.path.join(issuer, "iam/api/client-registration") + client_config = { + "client_name": client.name, + "scope": ' '.join(client.scope), + "grant_types": client.grant_types, + "redirect_uris": client.redirect_uris, + "token_endpoint_auth_method": "none", + "code_challenge_method": "S256", + "response_types": ["code"], + } + + response = requests.post( + query, + headers=headers, + data=json.dumps(client_config), + timeout=5, + ) + if not response.ok: + logging.error( + f"Failed to create client {client.name}: {response.status_code} {response.reason}" + ) + raise RuntimeError(f"Failed to create client {client.name}") + + return response.json() + +def _create_iam_user(issuer: str, admin_access_token: str, user: User) -> dict: + """Generate an IAM user""" + logging.info(f"Creating user {user.username}") + + query = os.path.join(issuer, "scim/Users") + headers = { + "Authorization": f"Bearer {admin_access_token}", + "Content-Type": "application/scim+json", + } + + user_config = { + "active": True, + "userName": user.username, + "password": user.password, + "name": { + "givenName": user.given_name, + "familyName": user.family_name, + "formatted": f"{user.given_name} {user.family_name}", + }, + "emails": [ + { + "type": "work", + "value": 
f"{user.given_name}.{user.family_name}@donotexist.email", + "primary": True, + } + ], + } + + response = requests.post( + query, + headers=headers, + data=json.dumps(user_config), + timeout=5, + ) + if not response.ok: + logging.error( + f"Failed to create user {user.username}: {response.status_code} {response.reason}" + ) + raise RuntimeError(f"Failed to create user {user.username}") + return response.json() + + +def _create_iam_group(issuer: str, admin_access_token: str, group_name: str) -> dict: + """Generate an IAM group""" + logging.info(f"Creating group {group_name}") + + query = os.path.join(issuer, "scim/Groups") + headers = { + "Authorization": f"Bearer {admin_access_token}", + "Content-Type": "application/scim+json", + } + group_config = {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"], "displayName": group_name} + + response = requests.post( + query, + headers=headers, + data=json.dumps(group_config), + timeout=5, + ) + if not response.ok: + logging.error( + f"Failed to create group {group_name}: {response.status_code} {response.reason}" + ) + raise RuntimeError(f"Failed to create group {group_name}") + return response.json() + + +def _create_iam_subgroup( + issuer: str, admin_access_token: str, group_name: str, group_id: str, subgroup_name: str +) -> dict: + """Generate an IAM subgroup""" + logging.info(f"Creating subgroup {group_name}/{subgroup_name}") + + subgroup_config = { + "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group", "urn:indigo-dc:scim:schemas:IndigoGroup"], + "urn:indigo-dc:scim:schemas:IndigoGroup": { + "parentGroup": { + "display": group_name, + "value": group_id, + r"\$ref": os.path.join(issuer, "scim/Groups", group_id), + }, + }, + "displayName": subgroup_name, + } + + query = os.path.join(issuer, "scim/Groups") + headers = { + "Authorization": f"Bearer {admin_access_token}", + "Content-Type": "application/scim+json", + } + + response = requests.post( + query, + headers=headers, + data=json.dumps(subgroup_config), + 
timeout=5, + ) + if not response.ok: + logging.error( + f"Failed to create subgroup {group_name}/{subgroup_name}: {response.status_code} {response.reason}" + ) + raise RuntimeError(f"Failed to create subgroup {group_name}/{subgroup_name}") + return response.json() + + +def _create_iam_group_membership( + issuer: str, admin_access_token: str, username: str, user_id: str, group_id: str +): + """Bind a given user to some groups/subgroups""" + membership_config = { + "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"], + "operations": [ + { + "op": "add", + "path": "members", + "value": [ + {"display": username, "value": user_id, r"\$ref": os.path.join(issuer, "scim/Users", user_id)} + ], + } + ], + } + + headers = { + "Authorization": f"Bearer {admin_access_token}", + "Content-Type": "application/scim+json", + } + query = os.path.join(issuer, "scim/Groups", group_id) + + response = requests.patch( + query, + headers=headers, + data=json.dumps(membership_config), + timeout=5, + ) + if not response.ok: + logging.error( + f"Failed to add {username} to {group_id}: {response.status_code} {response.reason}" + ) + raise RuntimeError(f"Failed to add {username} to {group_id}") + +if __name__ == "__main__": + logging.basicConfig(level=logging.INFO) + prepare_iam_instance(os.getenv("CONFIG_PATH")) diff --git a/diracx/templates/tests/indigo-iam/init-iam/_init-iam.sh.tpl b/diracx/templates/tests/indigo-iam/init-iam/_init-iam.sh.tpl deleted file mode 100644 index 47df6f7..0000000 --- a/diracx/templates/tests/indigo-iam/init-iam/_init-iam.sh.tpl +++ /dev/null @@ -1,4 +0,0 @@ -#!/usr/bin/env bash -set -x - -curl {{ .Values.indigoiam.config.issuer }}/.well-known/openid-configuration diff --git a/diracx/templates/tests/indigo-iam/init-iam/configmap.yaml b/diracx/templates/tests/indigo-iam/init-iam/configmap.yaml index a81bb54..1c003d3 100644 --- a/diracx/templates/tests/indigo-iam/init-iam/configmap.yaml +++ b/diracx/templates/tests/indigo-iam/init-iam/configmap.yaml 
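Review bot: `r"\$ref"` in _create_iam_subgroup and _create_iam_group_membership sends the JSON key `\$ref` — the raw-string prefix keeps the backslash, and json.dumps then emits `"\\$ref"` — rather than the SCIM `$ref` attribute; write it as `"$ref"` (Go templates only interpret `$` inside `{{ }}`, so nothing in this .tpl needs escaping). _create_iam_user builds the address as `f"{user.given_name}.{user.family_name}@donotexist.email"`, which yields `Admin.@donotexist.email` whenever set_family_name falls back to `""`; `f"{user.username}@donotexist.email"` is always well-formed and still unique per user. _get_iam_token also passes `grant_type` as a query string (`params=params`) on the POST; RFC 6749 expects it form-encoded in the body, so `data=params` is the portable form even if this IAM version accepts either. The retry loop's log line says "will retry in 10 seconds" while the code sleeps 5 — pick one.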
@@ -2,9 +2,19 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
- name: {{ template "init-iam.fullname" . }}
+ name: indigo-iam-init-script
 namespace: {{ .Release.Namespace }}
 data:
- init-iam: |
- {{- include (print $.Template.BasePath "/tests/indigo-iam/init-iam/_init-iam.sh.tpl") . | nindent 4 }}
+ init-iam.py: |
+ {{- include (print $.Template.BasePath "/tests/indigo-iam/init-iam/_init-iam.py.tpl") . | nindent 4 }}
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: indigo-iam-config
+ namespace: {{ .Release.Namespace }}
+data:
+ config.yaml: |
+ {{ toYaml .Values.indigoiam.config | nindent 4 }}
 {{- end -}}
diff --git a/diracx/templates/tests/indigo-iam/init-iam/job.yaml b/diracx/templates/tests/indigo-iam/init-iam/job.yaml
index 3b638ae..4075226 100644
--- a/diracx/templates/tests/indigo-iam/init-iam/job.yaml
+++ b/diracx/templates/tests/indigo-iam/init-iam/job.yaml
@@ -1,7 +1,7 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
- name: init-indigo-iam
+ name: indigo-iam-init
 namespace: {{ .Release.Namespace }}
 annotations:
 "helm.sh/hook": post-install,post-upgrade
@@ -11,17 +11,25 @@ spec:
 activeDeadlineSeconds: {{ .Values.global.activeDeadlineSeconds }}
 template:
 spec:
- restartPolicy: Never
 containers:
- - name: indigo-iam
- image: "{{ .Values.indigoiam.image.repository }}:{{ .Values.indigoiam.image.tag }}"
+ - name: diracx-base
+ image: ghcr.io/diracgrid/diracx/base:latest
 imagePullPolicy: {{ .Values.global.imagePullPolicy }}
- command: ["/bin/sh", "/scripts/init-iam"]
+ command: ["/bin/bash", "/entrypoint.sh"]
+ args: ["python", "/scripts/init-iam.py"]
+ env:
+ - name: CONFIG_PATH
+ value: /config/config.yaml
 volumeMounts:
 - name: scripts
 mountPath: /scripts
+ - name: config
+ mountPath: /config
 volumes:
 - name: scripts
 configMap:
- name: {{ template "init-iam.fullname" . }}
+ name: indigo-iam-init-script
+ - name: config
+ configMap:
+ name: indigo-iam-config
 restartPolicy: Never
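Review bot: The second ConfigMap added in this hunk renders the whole of `.Values.indigoiam.config` into `config.yaml`, and the values.yaml hunk later in this series adds `initial_client.secret` under that same key, so what is presumably a client credential is stored in a ConfigMap (readable by anything with configmap access in the namespace) rather than a Secret. Render only the non-sensitive keys here, e.g. `{{- toYaml (omit .Values.indigoiam.config "initial_client") | nindent 4 }}`, and pass the id/secret to the job through a Secret and `valueFrom.secretKeyRef` env entries instead. The `{{ toYaml ... }}` line also lacks the leading `{{-` that the `{{- include ... }}` line above it uses, so the rendered block scalar starts with an indentation-only line; harmless, but `{{- toYaml` keeps the two entries consistent. Replacing the release-scoped `{{ template "init-iam.fullname" . }}` with the fixed names `indigo-iam-init-script` and `indigo-iam-config` means two releases in one namespace would collide on these objects.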
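Review bot: `image: ghcr.io/diracgrid/diracx/base:latest` in the second job.yaml hunk hard-codes a mutable tag for a post-install/post-upgrade hook, so what this job executes can change between two installs of the same chart version and can no longer be pinned or redirected to a mirror through values, which the removed `"{{ .Values.indigoiam.image.repository }}:{{ .Values.indigoiam.image.tag }}"` form allowed. Since `indigoiam.image.*` now describes the IAM login service itself, add a dedicated values entry for the init job image (`.Values.<init-job image key>` as a placeholder) and render `image: "{{ <repository> }}:{{ <tag> }}"` from it, defaulting to a pinned tag or digest rather than `latest`. Moving `restartPolicy: Never` to the end of the pod spec is fine; the `args: ["python", "/scripts/init-iam.py"]` line depends on `/entrypoint.sh` in that image passing its arguments through, which this hunk cannot show.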
diff --git a/diracx/values.yaml b/diracx/values.yaml
index 859e865..3629166 100644
--- a/diracx/values.yaml
+++ b/diracx/values.yaml
@@ -330,9 +330,12 @@ indigoiam:
 enabled: true
 config:
 issuer: http://anything:32003
+ initial_client:
+ id: null
+ secret: null
 image:
 repository: indigoiam/iam-login-service
- tag: v1.8.2
+ tag: v1.8.3.rc.20231211
 service:
 type: NodePort
 port: 8080
From 22e25ba7bff55a369e8b3894b41bdc877155807e Mon Sep 17 00:00:00 2001
From: aldbr
Date: Tue, 19 Dec 2023 08:41:30 +0100
Subject: [PATCH 3/4] feat: disable IAM by default
---
 README.md | 2 +-
 demo/values.tpl.yaml | 19 ++++++++++++++++---
 .../{ => diracx}/deployment-cli.yaml | 2 +-
 .../{ => diracx}/init-os/_init-os.sh.tpl | 0
 .../{ => diracx}/init-os/configmap.yaml | 2 +-
 .../templates/{ => diracx}/init-os/job.yaml | 0
 .../tests/indigo-iam/deployment.yaml | 2 +-
 .../tests/indigo-iam/init-iam/configmap.yaml | 4 ++--
 .../tests/indigo-iam/init-iam/job.yaml | 2 ++
 diracx/values.yaml | 2 +-
 10 files changed, 25 insertions(+), 10 deletions(-)
 rename diracx/templates/{ => diracx}/deployment-cli.yaml (98%)
 rename diracx/templates/{ => diracx}/init-os/_init-os.sh.tpl (100%)
 rename diracx/templates/{ => diracx}/init-os/configmap.yaml (78%)
 rename diracx/templates/{ => diracx}/init-os/job.yaml (100%)
diff --git a/README.md b/README.md
index 27b8189..0923af6 100644
--- a/README.md
+++ b/README.md
@@ -166,7 +166,7 @@ Depending on the installation you perform, some tasks may be necessary or not. T
 | indigoiam.config.initial_client.id | string | `nil` | |
 | indigoiam.config.initial_client.secret | string | `nil` | |
 | indigoiam.config.issuer | string | `"http://anything:32003"` | |
-| indigoiam.enabled | bool | `true` | |
+| indigoiam.enabled | bool | `false` | |
 | indigoiam.image.repository | string | `"indigoiam/iam-login-service"` | |
 | indigoiam.image.tag | string | `"v1.8.3.rc.20231211"` | |
 | indigoiam.service.nodePort | int | `32003` | |
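Review bot: The new `initial_client` block carries no comment saying what these two values are for or how real ones are expected to be supplied, and the README rows for `indigoiam.config.initial_client.id` and `.secret` in this same series have an empty description column. Since this series renders the whole `indigoiam.config` map into the init-iam job's `config.yaml`, the id/secret presumably authenticate that job against IAM; a comment above `initial_client:` such as `# Credentials of the IAM client used by the init-iam job; set them at install time, never commit real values` would make the contract explicit. A one-line note on why the release-candidate tag `v1.8.3.rc.20231211` is required would also help whoever bumps the image next.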
diff --git a/demo/values.tpl.yaml b/demo/values.tpl.yaml
index 4c79775..a877e93 100644
--- a/demo/values.tpl.yaml
+++ b/demo/values.tpl.yaml
@@ -16,18 +16,31 @@ developer:
 
 init-cs:
 VOs:
+ # Dex:
 - name: diracAdmin
 IdP:
- idp_url: http://{{ hostname }}:32003
- idp_client_id: client
+ idp_url: http://{{ hostname }}:32002
+ idp_client_id: d396912e-2f04-439b-8ae7-d8c585a34790
 defaultGroup: admin
 Users:
- - sub: 73f16d93-2441-4a50-88ff-85360d78c6b5
+ - sub: EgVsb2NhbA
 preferredUsername: admin
 groups:
 - admin
 # TODO: Integrate with dex
 
+ # IAM:
+ # - name: diracAdmin
+ # IdP:
+ # idp_url: http://{{ hostname }}:32003
+ # idp_client_id: client
+ # defaultGroup: admin
+ # Users:
+ # - sub: 73f16d93-2441-4a50-88ff-85360d78c6b5
+ # preferredUsername: admin
+ # groups:
+ # - admin
+
 diracx:
 hostname: {{ hostname }}
 settings:
diff --git a/diracx/templates/deployment-cli.yaml b/diracx/templates/diracx/deployment-cli.yaml
similarity index 98%
rename from diracx/templates/deployment-cli.yaml
rename to diracx/templates/diracx/deployment-cli.yaml
index 79a0f68..96b3f26 100644
--- a/diracx/templates/deployment-cli.yaml
+++ b/diracx/templates/diracx/deployment-cli.yaml
@@ -16,7 +16,7 @@ spec:
 {{- with .Values.podAnnotations }}
 {{- toYaml . | nindent 8 }}
 {{- end }}
- checksum/entrypoint: {{ include (print $.Template.BasePath "/diracx-container-entrypoint.yaml") . | sha256sum }}
+ checksum/entrypoint: {{ include (print $.Template.BasePath "/diracx/diracx-container-entrypoint.yaml") . | sha256sum }}
 labels:
 {{- include "diracxCli.selectorLabels" . | nindent 8 }}
 spec:
diff --git a/diracx/templates/init-os/_init-os.sh.tpl b/diracx/templates/diracx/init-os/_init-os.sh.tpl
similarity index 100%
rename from diracx/templates/init-os/_init-os.sh.tpl
rename to diracx/templates/diracx/init-os/_init-os.sh.tpl
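Review bot: The kept `# TODO: Integrate with dex` comment is now stale: the entry above it is the Dex configuration (`idp_url: http://{{ hostname }}:32002`) and it is the IAM variant that this hunk comments out below, so the TODO points at the wrong IdP. Reword it to describe the remaining work, e.g. `# TODO: re-enable the IAM entry below once the IAM integration is complete`, or drop it. Patch 4 of this series removes the whole `init-cs` section again, so if that lands together with this one the point is moot.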
diff --git a/diracx/templates/init-os/configmap.yaml b/diracx/templates/diracx/init-os/configmap.yaml
similarity index 78%
rename from diracx/templates/init-os/configmap.yaml
rename to diracx/templates/diracx/init-os/configmap.yaml
index b7ccb28..7fffc65 100644
--- a/diracx/templates/init-os/configmap.yaml
+++ b/diracx/templates/diracx/init-os/configmap.yaml
@@ -10,5 +10,5 @@ metadata:
 "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
 data:
 init-os: |
- {{- include (print $.Template.BasePath "/init-os/_init-os.sh.tpl") . | nindent 4 }}
+ {{- include (print $.Template.BasePath "/diracx/init-os/_init-os.sh.tpl") . | nindent 4 }}
 {{- end -}}
diff --git a/diracx/templates/init-os/job.yaml b/diracx/templates/diracx/init-os/job.yaml
similarity index 100%
rename from diracx/templates/init-os/job.yaml
rename to diracx/templates/diracx/init-os/job.yaml
diff --git a/diracx/templates/tests/indigo-iam/deployment.yaml b/diracx/templates/tests/indigo-iam/deployment.yaml
index c27acd0..138fbeb 100644
--- a/diracx/templates/tests/indigo-iam/deployment.yaml
+++ b/diracx/templates/tests/indigo-iam/deployment.yaml
@@ -48,4 +48,4 @@ spec:
 - name: iam-secret
 mountPath: "/etc/indigo-iam/keystore"
 readOnly: true
-{{- end}}
+{{- end }}
diff --git a/diracx/templates/tests/indigo-iam/init-iam/configmap.yaml b/diracx/templates/tests/indigo-iam/init-iam/configmap.yaml
index 1c003d3..b2ca8a1 100644
--- a/diracx/templates/tests/indigo-iam/init-iam/configmap.yaml
+++ b/diracx/templates/tests/indigo-iam/init-iam/configmap.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.indigoiam.enabled -}}
+{{- if .Values.indigoiam.enabled }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
@@ -17,4 +17,4 @@ metadata:
 data:
 config.yaml: |
 {{ toYaml .Values.indigoiam.config | nindent 4 }}
-{{- end -}}
+{{- end }}
diff --git a/diracx/templates/tests/indigo-iam/init-iam/job.yaml b/diracx/templates/tests/indigo-iam/init-iam/job.yaml
index 4075226..d8f13e9 100644
--- a/diracx/templates/tests/indigo-iam/init-iam/job.yaml
+++ b/diracx/templates/tests/indigo-iam/init-iam/job.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.indigoiam.enabled }}
 apiVersion: batch/v1
 kind: Job
 metadata:
@@ -33,3 +34,4 @@ spec:
 configMap:
 name: indigo-iam-config
 restartPolicy: Never
+{{- end }}
diff --git a/diracx/values.yaml b/diracx/values.yaml
index 3629166..65d26d9 100644
--- a/diracx/values.yaml
+++ b/diracx/values.yaml
@@ -327,7 +327,7 @@ dex:
 
 ##########################
 indigoiam:
- enabled: true
+ enabled: false
 config:
 issuer: http://anything:32003
 initial_client:
From 52de2641b83f1f0798891ecd22d822b3c45352c3 Mon Sep 17 00:00:00 2001
From: aldbr
Date: Fri, 1 Mar 2024 14:15:12 +0100
Subject: [PATCH 4/4] feat: delete the init-cs section
---
 demo/values.tpl.yaml | 27 ---------------------------
 1 file changed, 27 deletions(-)
diff --git a/demo/values.tpl.yaml b/demo/values.tpl.yaml
index a877e93..1ad14a9 100644
--- a/demo/values.tpl.yaml
+++ b/demo/values.tpl.yaml
@@ -14,33 +14,6 @@ developer:
 editableMountedPythonModules: {{ editable_mounted_modules }}
 mountedNodeModuleToInstall: {{ node_module_to_mount }}
 
-init-cs:
- VOs:
- # Dex:
- - name: diracAdmin
- IdP:
- idp_url: http://{{ hostname }}:32002
- idp_client_id: d396912e-2f04-439b-8ae7-d8c585a34790
- defaultGroup: admin
- Users:
- - sub: EgVsb2NhbA
- preferredUsername: admin
- groups:
- - admin
- # TODO: Integrate with dex
-
- # IAM:
- # - name: diracAdmin
- # IdP:
- # idp_url: http://{{ hostname }}:32003
- # idp_client_id: client
- # defaultGroup: admin
- # Users:
- # - sub: 73f16d93-2441-4a50-88ff-85360d78c6b5
- # preferredUsername: admin
- # groups:
- # - admin
-
 diracx:
 hostname: {{ hostname }}
 settings: